n.runs-SA-2008.002 - F-Prot Out-of-Bound Memory Access DoS (remote)

2008-07-19T00:00:00
ID SECURITYVULNS:DOC:20188
Type securityvulns
Reporter Securityvulns
Modified 2008-07-19T00:00:00

Description

n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2008.002 16-Jul-2008


Vendor: FRISK (F-Prot), http://www.f-prot.com Affected Products: F-Prot Anti-Virus all platforms Vulnerability: Out-of-Bound Memory Access DoS (remote) Risk: HIGH


Vendor communication:

2008/01/22 initial notification to FRISK 2008/01/22 FRISK Response 2008/01/22 PGP public keys exchange 2008/01/23 n.runs has problems importing FRISK's provided public key, so proceed to search on the key servers and import the available ones and informs FRISK about it 2008/01/23 FRISK replies that the keys on the key server are fine to be used. 2008/01/23 PoC files sent to FRISK 2008/01/26 FRISK acknowledges the PoC files and informs about having some problem reproducing them and requests exact version and configuration used to trigger the vulnerability 2008/01/28 FRISK communicates to n.runs that they were able to reproduce one of the issues that they had just fixed and that the update will be included in the upcoming update 2008/01/28 n.runs thanks FRISK for such a quick response, provides the exact version used while bug hunting and informs that the issues were found about a year before; the reason of the late report is because it was overseen until now. 2008/01/29 FRISK replies that the version used in the test is quite old (4.3.1 against actual 4.4.3) and that during that time many bugs had been fixed 2008/03/16 n.runs realizes that FRISK has released the update because of a post on 27.Feb.2008 at the following link: http://www.wilderssecurity.com/showpost.php?p=1191859&postcount=98 n.runs decides to not launch the advisory because couldn't find an official post. 2008/07/10 n.runs finds the official announcement: http://www.f-prot.com/download/ReleaseNotesWindows.txt 2008/07/16 n.runs releases this advisory


Overview:

FRISK Software International, established in 1993, is one of the world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus product range offering unrivalled heuristic detection capabilities. In addition to this, the F-Prot AVES managed online e-mail security service filters away the nuisance of spam e-mail as well as viruses, worms and other malware that increasingly clog up inboxes and threaten data security. By supporting a wide range of platforms FRISK Software protects computer networks of all sizes, running on diverse platforms. As a result, FRISK Software provides its customers with comprehensive computer security solutions.

Description:

A remotely exploitable vulnerability has been found in the files' parsing engine.

In detail, the following flaw was determined:

  • DoS caused by an Out-of-Bound Memory Access while parsing CHM file's header: if the nb_dir field (Chunk number of root index chunk) value is set to 0xffffffff pointers math takes place and ends up in an out-of-bound read attempt.

Impact:

This problem can lead to remote denial of service if an attacker carefully crafts a file that exploits the aforementioned vulnerability. The vulnerability is present in FRISK Anti-virus software mentioned above, in all platforms supported by the affected products prior to the engine Version 4.4.4.

Solution:

The vulnerability was reported on 22.Jan.2008 and the engine 4.4.4 has been issued to solve this vulnerability. For detailed information about the fixes follow the link in References [1] section of this document.

n.runs AG wants to highlight the excellent and fluent communication with FRISK and its very quick response to validate and fix the issue.


Credit: Bugs found by Sergio Alvarez of n.runs AG.


References: http://www.f-prot.com/download/ReleaseNotesWindows.txt [1]

This Advisory and Upcoming Advisories: http://www.nruns.com/security_advisory.php


Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.